 
Teaching Network Security with IP Darkspace Data
Tanja Zseby, Felix Iglesias
Institute of Telecommunications, Faculty of Electrical Engineering and Information Technology, TU Wien
September 9, 2019
TU Wien Network Security Classes
• Two security courses for Master students
  – Theory lectures (6 x 90 min) → written exam
  – Lab exercises (6 x 180 min), teams of 2 → report
  – Lab review (oral exam)
  – Classes offered since 2014, continuously updated
  – 2014: 35 students → 2019: 88 students
• 1. Network Security
  – Lab: IP Darkspace Analysis
  – Data: CAIDA IP darkspace data
• 2. Network Security Advanced
  – Lab: Network Steganography
  – Data: Modified MAWI dataset (WIDE)
T. Zseby, DUST 2019, 2019-09-09
Educational Objectives
• Research-oriented teaching concept
  – Include current research in the classroom
• Class objectives:
  – Familiarize students with network data analysis methods
  – Give students an in-depth understanding of TCP/IP flow behavior
  – Deepen students' network security knowledge
  – Develop students' general scientific work skills
  – Increase exploratory and forensic analysis skills
  – Awaken the scientist in each student
Students
• International students
  – Different bachelor programs → different skills
• Different Master's programs
  – Electrical engineering
    • Telecommunications
    • Embedded Systems
  – Computer Science
  – Future: Data Science Master
• Ideal: students from different programs team up
  – EE students with Matlab, signals and systems experience
  – CS students with programming and Linux skills
NetSec Lab: IP Darkspace Analysis
• CAIDA IP Darkspace Data (telescope data)
  – Each team gets a different set of IP darkspace data
  – Students are required to use the recommended tools
• Exercises (pipeline from pcap to report):
  1. Preprocessing / aggregation: pcap → tcpdump, Wireshark, corsaro/SiLK → flowtuples, CSV
  2. Uni-/bivariate analysis: Matlab, RapidMiner
  3. Time series
  4. FFT → Report
[Figure: an attacker sending packets to normal hosts IPa … IPn and into the darkspace address range.]
Example Exercises
Data Analysis (Examples from Reports)
[Figure: example plots from student reports: distributions, time series, TTL, temporal patterns (FFT), scatterplots.]
Identifying Backscatter
[Figure: attacker(s) send TCP SYNs to port 80 of an attacked HTTP server using spoofed source addresses i, j, k, …, n taken from the darkspace; the server answers each with a TCP SYN-ACK (flags 0x12) addressed to the spoofed source, so the replies land in the darkspace.]
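The three analysis steps above (flowtuple CSV in, scan/backscatter classification, time series and FFT) as one added, runnable example. This is not code from the slides or from the lab's solver scripts; the CSV column layout is an assumption made here (corsaro FlowTuple-like, not CAIDA's exact schema), the addresses and the periodic port-445 scanner are constructed, and the spectrum is computed with a plain DFT instead of a library FFT so the block runs with the standard library only. It goes slightly beyond the slide by reporting the backscatter sender (the attacked host, never the attacker) together with how many distinct darkspace addresses it replied to.

```python
"""Added example (not part of the original slides): classify darkspace flow
records as scan vs. backscatter, identify the backscatter victim, and test a
packet-count time series for periodicity with a DFT. Runs offline on
constructed data."""
import cmath
import csv
import io
from collections import Counter, defaultdict

# Constructed records in a corsaro FlowTuple-like CSV layout. The column set
# is an assumption made for this example, not CAIDA's exact schema.
HEADER = "ts,src_ip,dst_ip,src_port,dst_port,proto,ttl,tcp_flags,packets"
STATIC_ROWS = [
    # SYN-ACKs from one web server to many darkspace addresses: the server is
    # answering SYNs whose source addresses were spoofed into the darkspace.
    "0,198.51.100.7,10.0.0.11,80,40001,6,52,0x12,1",
    "0,198.51.100.7,10.0.0.12,80,40002,6,52,0x12,1",
    "0,198.51.100.7,10.0.0.13,80,40003,6,52,0x12,1",
    "2,198.51.100.7,10.0.0.14,80,40004,6,52,0x12,1",
    # A UDP packet to the NTP port: neither a TCP scan nor TCP backscatter.
    "5,192.0.2.50,10.0.0.20,123,123,17,63,,1",
]

def periodic_scan_rows(period_s=8, burst_len=3, duration_s=64):
    """Constructed SYN scanner (flags 0x02) probing port 445 in bursts of
    burst_len seconds every period_s seconds, one darkspace target per second."""
    rows, host = [], 30
    for start in range(1, duration_s, period_s):
        for t in range(start, min(start + burst_len, duration_s)):
            rows.append(f"{t},203.0.113.9,10.0.0.{host},54321,445,6,118,0x02,1")
            host += 1
    return rows

SAMPLE_CSV = "\n".join([HEADER, *STATIC_ROWS, *periodic_scan_rows()]) + "\n"

def parse_flowtuples(text):
    recs = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = float(row["ts"])
        for f in ("src_port", "dst_port", "proto", "ttl", "packets"):
            row[f] = int(row[f])
        row["tcp_flags"] = int(row["tcp_flags"], 16) if row["tcp_flags"] else None
        recs.append(row)
    return recs

SYN, ACK = 0x02, 0x10

def classify(rec):
    """Darkspace hosts never initiate connections, so a TCP SYN-ACK arriving
    there (the slide's case) is backscatter from a victim answering spoofed
    SYNs, while a bare SYN is an inbound probe/scan."""
    if rec["proto"] != 6 or rec["tcp_flags"] is None:
        return "other"
    if rec["tcp_flags"] & (SYN | ACK) == SYN | ACK:
        return "backscatter"
    if rec["tcp_flags"] & SYN and not rec["tcp_flags"] & ACK:
        return "scan"
    return "other"

def backscatter_victims(recs):
    """(src_ip, src_port) of backscatter senders -> number of distinct darkspace
    addresses they replied to. The sender is the attacked host, not the attacker."""
    targets = defaultdict(set)
    for r in recs:
        if classify(r) == "backscatter":
            targets[(r["src_ip"], r["src_port"])].add(r["dst_ip"])
    return {k: len(v) for k, v in targets.items()}

def packets_per_bin(recs, n_bins, bin_s=1.0):
    """Exercise 3: aggregate packet counts into a fixed-width time series."""
    series = [0] * n_bins
    for r in recs:
        b = int(r["ts"] // bin_s)
        if 0 <= b < n_bins:
            series[b] += r["packets"]
    return series

def dominant_period(series, bin_s=1.0):
    """Exercise 4: plain O(N^2) DFT of the mean-removed series; returns the
    period in seconds of the strongest non-DC frequency bin."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    best_k, best_mag = None, -1.0
    for k in range(1, n // 2 + 1):
        xk = sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
        if abs(xk) > best_mag:
            best_k, best_mag = k, abs(xk)
    return n * bin_s / best_k

def analyse(text):
    recs = parse_flowtuples(text)
    scans = [r for r in recs if classify(r) == "scan"]
    return {
        "classes": dict(Counter(classify(r) for r in recs)),
        "victims": backscatter_victims(recs),
        "scan_period_s": dominant_period(packets_per_bin(scans, 64)),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_CSV))
```

On the constructed input the classifier reports 4 backscatter, 24 scan and 1 other record, names 198.51.100.7:80 as the attacked HTTP server seen by four darkspace addresses, and the DFT over the scanner's per-second packet counts recovers its 8 s burst period. On real telescope data the same flag test is the starting point; RST and ICMP replies are further backscatter types the slide does not cover and the block leaves as "other".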
Student Feedback [feedback provided by 14 students]
What did you enjoy most?
  “labs were fun and engaging”
  “the moments: when you successfully finish an exercise”
What could be improved?
  “tool-tutorials before the class”
  “more free exploration exercises”
  “more exercises!; to be honest, I could have done another three exercises, it was fun!”
(Some) Lessons Learned
• Working with real measurement data
  – Boosts motivation, triggers the research spirit
  – Encourages checking theory against reality
  – Teaches responsible handling of data
  – Unique data set per team → cheating detection
• But: a lot of effort
  – Maintaining the lab environment
  – Correcting reports
  – Unexpected effects → data needs to be checked beforehand
• Enforce prerequisites
• Form heterogeneous teams
• Introduce a variety of tools, then allow free choice
• “Keep it fun!” (story, easter eggs)
Benefits
• Students work with real data
  – A lot of positive responses
• Students learn about attacks
  – Scanning
  – Backscatter
  – But: only some attacks are visible, and mainly attack attempts that missed (probes to unused addresses) and attack consequences (backscatter), not the attack itself
• Plenty of data available
  – Every team can get its own data set
  – Teams may discover new things
Limitations/Challenges
• General limitations of darkspace traffic
  – No bidirectional flows, no connections
  – No labels (not suitable for testing algorithms)
• Operational limitations
  – Huge files, huge effort to obtain the most recent data
  – No filter options
  – Data needs to stay in the lab (students sign the CAIDA agreement)
• Anonymization
  – Limits analysis options (e.g., geolocation)
• → In 2019 the lab used only aggregated darkspace data
  – Students now run their own attacks and do the preprocessing exercises on traffic they captured themselves
Wish List 1: Providing Data
• Offer customized data files
  – Data in different formats and sizes (file sizes, time intervals)
  – Different aggregation schemes
  – Filtered data (e.g., removing repetitive instances, port 445 scans, etc.)
  – Pre-processed data (10-min captures, flows, time series, etc.)
  – Ideal: flexible filter/aggregation options (different flow keys, time series, …)
• Provide labels
  – Automated analysis
  – Provide classification tools, scripts
Wish List 2: Remote Data Analysis
• Possibilities for students to work on data remotely
  – Remote work environment for multiple teams
  – Working on the most recent data
• Provide standard analysis environments
  – Standard tools and programming environments
  – e.g., Matlab, Python, scikit-learn, RapidMiner?
  – Repeatability
• Still provide the possibility to download parts of the data
  – User-friendly query options (“time period”, “signals”, “sampling time”, “filtering options”)
• Provide info material, examples, tutorials
  – Possibility to share/discuss findings with others (CAIDA researchers, other groups?)
Available Material
• IP Darkspace Data → available at CAIDA
• MAWI Data: http://mawi.wide.ad.jp/mawi/
• Teaching material → available to other teachers
  – Exercise sheets
  – Solver scripts
  – Report templates
  – Evaluation and grading scheme
  http://www.tc.tuwien.ac.at/netsec-lab
Zseby, Iglesias, King, Claffy: "Teaching Network Security With IP Darkspace Data"; IEEE Transactions on Education, 59 (2015), 1; 1-7.
Zseby, Iglesias, Bernhardt, Frkat, Annessi: "A Network Steganography Lab on Detecting TCP/IP Covert Channels"; IEEE Transactions on Education, 59 (2016), 3; 224-232.
Thank you! tanja.zseby@tuwien.ac.at